/// <summary>
/// Validate Token
/// </summary>
/// <param name="jwt"></param>
/// <param name="validationParameters"></param>
/// <returns></returns>
public override ClaimsPrincipal ValidateToken(JwtSecurityToken jwt, TokenValidationParameters validationParameters)
{
// set up valid issuers
if ((validationParameters.ValidIssuer == null) &&
(validationParameters.ValidIssuers == null || !validationParameters.ValidIssuers.Any()))
{
validationParameters.ValidIssuers = new List <string> {
validIssuerString
};
}
// and signing token.
if (validationParameters.SigningToken == null)
{
var resolver = (NamedKeyIssuerTokenResolver)this.Configuration.IssuerTokenResolver;
if (resolver.SecurityKeys != null)
{
IList <SecurityKey> skeys;
if (resolver.SecurityKeys.TryGetValue(audience, out skeys))
{
var tok = new NamedKeySecurityToken(audience, skeys);
validationParameters.SigningToken = tok;
}
}
}
return(base.ValidateToken(jwt, validationParameters));
}
public void JwtSecurityKeyIdentifyier_Extensibility()
{
string clauseName = "kid";
string keyId = Issuers.GotJwt;
NamedKeySecurityKeyIdentifierClause clause = new NamedKeySecurityKeyIdentifierClause(clauseName, keyId);
SecurityKeyIdentifier keyIdentifier = new SecurityKeyIdentifier(clause);
SigningCredentials signingCredentials = new SigningCredentials(KeyingMaterial.SymmetricSecurityKey_256, SecurityAlgorithms.HmacSha256Signature, SecurityAlgorithms.Sha256Digest, keyIdentifier);
JwtHeader jwtHeader = new JwtHeader(signingCredentials);
SecurityKeyIdentifier ski = jwtHeader.SigningKeyIdentifier;
Assert.IsFalse(ski.Count != 1, "ski.Count != 1 ");
NamedKeySecurityKeyIdentifierClause clauseOut = ski.Find <NamedKeySecurityKeyIdentifierClause>();
Assert.IsFalse(clauseOut == null, "NamedKeySecurityKeyIdentifierClause not found");
Assert.IsFalse(clauseOut.Name != clauseName, "clauseOut.Id != clauseId");
Assert.IsFalse(clauseOut.KeyIdentifier != keyId, "clauseOut.KeyIdentifier != keyId");
NamedKeySecurityToken NamedKeySecurityToken = new NamedKeySecurityToken(clauseName, new SecurityKey[] { KeyingMaterial.SymmetricSecurityKey_256 });
Assert.IsFalse(!NamedKeySecurityToken.MatchesKeyIdentifierClause(clause), "NamedKeySecurityToken.MatchesKeyIdentifierClause( clause ), failed");
List <SecurityKey> list = new List <SecurityKey>()
{
KeyingMaterial.SymmetricSecurityKey_256
};
Dictionary <string, IList <SecurityKey> > keys = new Dictionary <string, IList <SecurityKey> >()
{
{ "kid", list },
};
NamedKeyIssuerTokenResolver nkitr = new NamedKeyIssuerTokenResolver(keys: keys);
SecurityKey sk = nkitr.ResolveSecurityKey(clause);
Assert.IsFalse(sk == null, "NamedKeySecurityToken.MatchesKeyIdentifierClause( clause ), failed");
JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();
JwtSecurityToken jwt = handler.CreateToken(issuer: Issuers.GotJwt, signingCredentials: signingCredentials) as JwtSecurityToken;
handler.Configuration = new SecurityTokenHandlerConfiguration()
{
IssuerTokenResolver = new NamedKeyIssuerTokenResolver(keys: keys),
AudienceRestriction = new AudienceRestriction(AudienceUriMode.Never),
IssuerNameRegistry = new SetNameIssuerNameRegistry("http://GotJwt.com"),
};
handler.ValidateToken(jwt);
}
public override ClaimsPrincipal ValidateToken(JWTSecurityToken jwt, TokenValidationParameters validationParameters)
{
Check.IsNotNull(jwt, "jwt");
Check.IsNotNull(validationParameters, "validationParameters");
diagnostics.WriteInformationTrace(TraceEventId.InboundParameters,
"JWT token details from ACS: {0}, {1}, {2}, {3}",
jwt.Issuer, jwt.ValidFrom, jwt.ValidTo, jwt.RawData);
string audienceUrl;
if (this.Configuration != null)
{
audienceUrl = this.Configuration.AudienceRestriction.AllowedAudienceUris[0].ToString();
}
else
{
audienceUrl = validationParameters.AllowedAudience;
}
// set up valid issuers
if ((validationParameters.ValidIssuer == null) &&
(validationParameters.ValidIssuers == null || !validationParameters.ValidIssuers.Any()))
{
List <string> issuers = new List <string>();
issuers.AddRange(ConfigurationManager.AppSettings["Issuers"].Split(new[] { ',' }));
validationParameters.ValidIssuers = issuers;
}
// setup signing token.
if (validationParameters.SigningToken == null)
{
var resolver = (NamedKeyIssuerTokenResolver)this.Configuration.IssuerTokenResolver;
if (resolver.SecurityKeys != null)
{
List <SecurityKey> skeys;
if (resolver.SecurityKeys.TryGetValue(audienceUrl, out skeys))
{
var tok = new NamedKeySecurityToken(audienceUrl, skeys);
validationParameters.SigningToken = tok;
}
}
}
diagnostics.WriteInformationTrace(TraceEventId.Flow, "Successfully validated JWT token from ACS");
return(base.ValidateToken(jwt, validationParameters));
}
public override System.Collections.ObjectModel.ReadOnlyCollection <System.Security.Claims.ClaimsIdentity> ValidateToken(SecurityToken token)
{
var idConfig = System.IdentityModel.Configuration.SystemIdentityModelSection.Current.IdentityConfigurationElements.GetElement("");
var validationParameters = new TokenValidationParameters()
{
ValidAudience = (idConfig.AudienceUris.Cast <AudienceUriElement>().First()).Value
};
// set up valid issuers
if ((validationParameters.ValidIssuer == null) &&
(validationParameters.ValidIssuers == null || !validationParameters.ValidIssuers.Any()))
{
validationParameters.ValidIssuers = new List <string> {
ValidIssuerString
};
}
// and signing token.
if (validationParameters.IssuerSigningToken == null)
{
var resolver = (NamedKeyIssuerTokenResolver)this.Configuration.IssuerTokenResolver;
if (resolver.SecurityKeys != null)
{
IList <SecurityKey> skeys;
if (resolver.SecurityKeys.TryGetValue(KeyName, out skeys))
{
var tok = new NamedKeySecurityToken(KeyName, "id", skeys);
validationParameters.IssuerSigningToken = tok;
}
}
}
var tokenString = (token as JwtSecurityToken);
ClaimsPrincipal validated = base.ValidateToken(tokenString.RawData, validationParameters, out token);
var result = new ReadOnlyCollection <ClaimsIdentity>(validated.Identities.ToList());
return(result);
}
public void NamedKeySecurityKeyIdentifierClause_Extensibility()
{
string clauseName = "kid";
string keyId = Issuers.GotJwt;
NamedKeySecurityKeyIdentifierClause clause = new NamedKeySecurityKeyIdentifierClause(clauseName, keyId);
SecurityKeyIdentifier keyIdentifier = new SecurityKeyIdentifier(clause);
SigningCredentials signingCredentials = new SigningCredentials(KeyingMaterial.DefaultSymmetricSecurityKey_256, SecurityAlgorithms.HmacSha256Signature, SecurityAlgorithms.Sha256Digest, keyIdentifier);
JwtHeader jwtHeader = new JwtHeader(signingCredentials);
SecurityKeyIdentifier ski = jwtHeader.SigningKeyIdentifier;
Assert.AreEqual(ski.Count, 1, "ski.Count != 1 ");
NamedKeySecurityKeyIdentifierClause clauseOut = ski.Find <NamedKeySecurityKeyIdentifierClause>();
Assert.IsNotNull(clauseOut, "NamedKeySecurityKeyIdentifierClause not found");
Assert.AreEqual(clauseOut.Name, clauseName, "clauseOut.Id != clauseId");
Assert.AreEqual(clauseOut.Id, keyId, "clauseOut.KeyIdentifier != keyId");
NamedKeySecurityToken NamedKeySecurityToken = new NamedKeySecurityToken(clauseName, keyId, new SecurityKey[] { KeyingMaterial.DefaultSymmetricSecurityKey_256 });
Assert.IsTrue(NamedKeySecurityToken.MatchesKeyIdentifierClause(clause), "NamedKeySecurityToken.MatchesKeyIdentifierClause( clause ), failed");
List <SecurityKey> list = new List <SecurityKey>()
{
KeyingMaterial.DefaultSymmetricSecurityKey_256
};
Dictionary <string, IList <SecurityKey> > keys = new Dictionary <string, IList <SecurityKey> >()
{
{ "kid", list },
};
NamedKeyIssuerTokenResolver nkitr = new NamedKeyIssuerTokenResolver(keys: keys);
SecurityKey sk = nkitr.ResolveSecurityKey(clause);
Assert.IsNotNull(sk, "NamedKeySecurityToken.MatchesKeyIdentifierClause( clause ), failed");
}
protected override Task <HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
{
Check.IsNotNull(request, "request");
HttpStatusCode statusCode;
string token;
if (request.RequestUri.AbsolutePath.Contains("/authenticate"))
{
return(base.SendAsync(request, cancellationToken));
}
if (request.RequestUri.AbsolutePath.Contains("/signout"))
{
return(base.SendAsync(request, cancellationToken));
}
if (request.RequestUri.AbsolutePath.Contains("/SignOutCallback"))
{
return(base.SendAsync(request, cancellationToken));
}
if (request.RequestUri.AbsolutePath.Contains("/windowsLiveAuthorization"))
{
return(base.SendAsync(request, cancellationToken));
}
if (request.RequestUri.AbsolutePath.Contains("api/GetSupportedIdentityProviders"))
{
return(base.SendAsync(request, cancellationToken));
}
if (request.RequestUri.AbsolutePath.Contains("api/SignInCallBack"))
{
return(base.SendAsync(request, cancellationToken));
}
if (!TryRetrieveToken(request, out token))
{
statusCode = HttpStatusCode.Unauthorized;
return(Task <HttpResponseMessage> .Factory.StartNew(() => new HttpResponseMessage(statusCode)));
}
try
{
diagnostics.WriteInformationTrace(TraceEventId.Flow, "Validating bearer token: {0}", token);
string issuersValue = ConfigurationManager.AppSettings["Issuers"];
string signingSymmetricKey = ConfigurationManager.AppSettings["SigningSymmetricKey"];
string allowedAudience = ConfigurationManager.AppSettings["AllowedAudience"];
// Use JWTSecurityTokenHandler to validate the JWT token
ApiJWTSecurityTokenHandler tokenHandler = new ApiJWTSecurityTokenHandler();
List <string> issuers = new List <string>();
issuers.AddRange(issuersValue.Split(new[] { ',' }));
InMemorySymmetricSecurityKey securityKey = new InMemorySymmetricSecurityKey(Convert.FromBase64String(signingSymmetricKey));
NamedKeySecurityToken namedToken = new NamedKeySecurityToken(allowedAudience, new List <SecurityKey>()
{
securityKey
});
// Set the expected properties of the JWT token in the TokenValidationParameters
TokenValidationParameters validationParameters = new TokenValidationParameters()
{
AllowedAudience = allowedAudience,
ValidIssuers = issuers,
SigningToken = namedToken
};
ClaimsPrincipal claimsPrincipal = tokenHandler.ValidateToken(token, validationParameters);
ClaimsIdentity claimsIdentity = (ClaimsIdentity)claimsPrincipal.Identity;
try
{
IUserService userService = (IUserService)GlobalConfiguration.Configuration.DependencyResolver.GetService(typeof(IUserService));
User user = IdentityHelper.GetCurrentUser(userService, claimsPrincipal);
foreach (var role in user.UserRoles)
{
if (!claimsIdentity.HasClaim(ClaimTypes.Role, role.Role.Name))
{
claimsIdentity.AddClaim(new Claim(ClaimTypes.Role, role.Role.Name));
}
}
}
catch (UserNotFoundException)
{
// No need to do anything here because GetUsersByNameIdentifier action in UsersController will take care of sending appropriate http response.
}
Thread.CurrentPrincipal = claimsPrincipal;
if (HttpContext.Current != null)
{
HttpContext.Current.User = claimsPrincipal;
}
diagnostics.WriteInformationTrace(TraceEventId.Flow,
"Authorization token validated successfully");
return(base.SendAsync(request, cancellationToken));
}
catch (SecurityTokenValidationException secutiryTokenValidationException)
{
FederatedAuthentication.WSFederationAuthenticationModule.SignOut(true);
HttpResponseMessage response = request.CreateErrorResponse(HttpStatusCode.Unauthorized, secutiryTokenValidationException);
return(Task <HttpResponseMessage> .Factory.StartNew(() => response));
}
}
